13:["$","$L31",null,{"pageReplacement":"$undefined","getWebVital":false,"pageId":"bug-reports-bic-notes-report-36912","records":{"block":{"bug-reports-bic-notes-report-36912":{"id":"bug-reports-bic-notes-report-36912","children":["1d96d11db45480f09890cf80dd093926","1d96d11db45480ac92f9e9046aae1285","1d96d11db45480b09d31e730e446bd81","1d96d11db454800dbe00e3f77d4103ba"],"hasContent":true,"parentId":"81d407a13ac34b24afbd8ae2f633beb8","title":[["Report #36912"]],"updatedAt":1745002322110,"type":"page","spaceId":"ab0b716f-1149-44f9-a5f8-3c1faef24f49","icon":"📄","createdTime":1744999162471,"lastEditedTime":1745002322110,"createdBy":[{"0":"‣","1":[{"0":"u"}]}],"lastEditedBy":[{"0":"‣","1":[{"0":"u"}]}],"layout":null,"propertySort":[{"property":"{a|D","visibility":"show","type":"date","name":"Report Date"},{"property":"GnWs","visibility":"show","type":"select","name":"Status"},{"property":"Fh<[","visibility":"show","type":"number","name":"Payout"}],"uri":"/bug-reports/bic-notes/report-36912","fullWidth":false,"smallText":false,"noCover":true,"superProperties":{},"propertyValues":{"{a|D":[["‣",[["d",{"type":"date","start_date":"2024-11-19"}]]]],"GnWs":[{"color":"gray","value":"Closed"}]},"blockId":"1d96d11d-b454-8094-be6b-de80ae0a2259"},"bug-reports":{"id":"bug-reports","children":[],"hasContent":true,"parentId":"a5a7bf6b51ec4b68b32f2007f41274ef","title":[["Bug Reports"]],"updatedAt":1730166674632,"type":"page","spaceId":"ab0b716f-1149-44f9-a5f8-3c1faef24f49","icon":"🪲","coverPosition":0.2693,"createdTime":1666242480000,"lastEditedTime":1730166674632,"createdBy":[{"0":"‣","1":[{"0":"u"}]}],"lastEditedBy":[{"0":"‣","1":[{"0":"u"}]}],"description":null,"cover":"https://images.spr.so/cdn-cgi/imagedelivery/j42No7y-dcokJuNgXeA0ig/a2bce83a-eb08-4b8a-84dd-4de45ceb9115/dalle/public","uri":"/bug-reports","blockId":"f653305e-4ed7-4734-bb5d-fe173aa8d98f"},"d2246af0639c440b9153316b52856b7d":{"id":"d2246af0639c440b9153316b52856b7d","children":[],"hasContent":true,"parentId":"7152ae7a68b846a18b9ad3f2b742cf39","title":[["Beanstalk Notion"]],"updatedAt":1726681064870,"type":"page","spaceId":"ab0b716f-1149-44f9-a5f8-3c1faef24f49","icon":"https://images.spr.so/cdn-cgi/imagedelivery/j42No7y-dcokJuNgXeA0ig/8eb7da25-afae-45ec-95dc-67fbfc3937de/bean-200x200/public","coverPosition":0.1349,"createdTime":1665459157361,"lastEditedTime":1726681064870,"createdBy":[{"0":"‣","1":[{"0":"u"}]}],"lastEditedBy":[{"0":"‣","1":[{"0":"u"}]}],"description":null,"cover":"https://images.spr.so/cdn-cgi/imagedelivery/j42No7y-dcokJuNgXeA0ig/55f768dc-bb88-491b-8aaf-55c802563c47/bg-mainnet/public","uri":"/d2246af0639c440b9153316b52856b7d","blockId":"d2246af0-639c-440b-9153-316b52856b7d"},"bug-reports-bic-notes":{"id":"bug-reports-bic-notes","children":[],"hasContent":false,"parentId":"bug-reports","title":[["BIC Notes"]],"updatedAt":1745001819636,"type":"collection_page","spaceId":"ab0b716f-1149-44f9-a5f8-3c1faef24f49","uri":"/bug-reports/bic-notes","collectionId":"81d407a1-3ac3-4b24-afbd-8ae2f633beb8","views":[],"cover":null,"description":[],"coverPosition":1},"links":{"id":"links","children":[],"hasContent":false,"parentId":"d2246af0639c440b9153316b52856b7d","title":[["Links"]],"updatedAt":1674433368143,"type":"collection_page","spaceId":"ab0b716f-1149-44f9-a5f8-3c1faef24f49","uri":"/links","collectionId":"a5a7bf6b-51ec-4b68-b32f-2007f41274ef","views":[],"icon":"🔗","cover":null,"description":[["Pages in the Beanstalk Community Resource Center."]],"coverPosition":1},"1d96d11db45480f09890cf80dd093926":{"id":"1d96d11db45480f09890cf80dd093926","children":[],"hasContent":false,"parentId":"bug-reports-bic-notes-report-36912","title":[["Arbitrary Code Execution in Beanstalk Governance Leads to Redirection of Users to Malicious Websites, and More...",[["b",null]]]],"updatedAt":1745002112831,"type":"heading","subType":"sub_header","depth":2},"1d96d11db45480ac92f9e9046aae1285":{"id":"1d96d11db45480ac92f9e9046aae1285","children":["1d96d11db45480768faacc686cc2c5f1","1d96d11db45480b9baaed8c08d503223","1d96d11db45480a6be57c9f2b8f97895","1d96d11db4548000820bef1ea8c090cb","1d96d11db454805d8381ee8522573f1e","1d96d11db454808fa043c2be368884fb","1d96d11db45480709135ce707ed81a0f","1d96d11db4548090a0fff651c430dbef","1d96d11db45480ba8f9fc3b0320a442d","1d96d11db454800ba208cf9a1efdf7be","1d96d11db45480209d08dbc840001696","1d96d11db4548093b58ffd51a2c3808d","1d96d11db45480418263c16cba31f65e","1d96d11db45480bb9a93d243d342efc7","1d96d11db454809fb583ca8aa51b1ec7","1d96d11db45480a883a1dce74720db6e","1d96d11db45480de82a0dd32558e0810","1d96d11db45480c184d5cf5d580b44ce","1d96d11db454800c9f97f20752df4101","1d96d11db45480ecb6b5e87a53913d72","1d96d11db4548024b571c90ce7a60361","1d96d11db45480659775dd7472c633d7","1d96d11db45480bea17bdd243264743b","1d96d11db4548038b64acd45e182b4e2","1d96d11db45480998cc4f2ef55bb69e4","1d96d11db4548001ac60d17b8a13ac90","1d96d11db4548065b0b5f5fe2535225f","1d96d11db454800e91cffed9b2c868d7","1d96d11db45480c6b41fe06438d6e8bc","1d96d11db45480ed805cd7a3e42ecee8","1d96d11db45480e68f37d546fc7ef6ea","1d96d11db454806db4c4fad2228981a0"],"hasContent":true,"parentId":"bug-reports-bic-notes-report-36912","title":[["Report Info",[["b",null]]]],"updatedAt":1745002240147,"type":"toggle","subType":null,"depth":null,"color":null},"1d96d11db45480768faacc686cc2c5f1":{"id":"1d96d11db45480768faacc686cc2c5f1","children":[],"hasContent":false,"parentId":"1d96d11db45480ac92f9e9046aae1285","title":[["Report ID",[["b",null]]]],"updatedAt":1745002150733,"type":"text"},"1d96d11db45480b9baaed8c08d503223":{"id":"1d96d11db45480b9baaed8c08d503223","children":[],"hasContent":false,"parentId":"1d96d11db45480ac92f9e9046aae1285","title":[["#36912"]],"updatedAt":1745002148704,"type":"text"},"1d96d11db45480a6be57c9f2b8f97895":{"id":"1d96d11db45480a6be57c9f2b8f97895","children":[],"hasContent":false,"parentId":"1d96d11db45480ac92f9e9046aae1285","title":[["Report type",[["b",null]]]],"updatedAt":1745002154382,"type":"text"},"1d96d11db4548000820bef1ea8c090cb":{"id":"1d96d11db4548000820bef1ea8c090cb","children":[],"hasContent":false,"parentId":"1d96d11db45480ac92f9e9046aae1285","title":[["Websites and Applications"]],"updatedAt":1745002152744,"type":"text"},"1d96d11db454805d8381ee8522573f1e":{"id":"1d96d11db454805d8381ee8522573f1e","children":[],"hasContent":false,"parentId":"1d96d11db45480ac92f9e9046aae1285","title":[["Has PoC?",[["b",null]]]],"updatedAt":1745002157238,"type":"text"},"1d96d11db454808fa043c2be368884fb":{"id":"1d96d11db454808fa043c2be368884fb","children":[],"hasContent":false,"parentId":"1d96d11db45480ac92f9e9046aae1285","title":[["Yes"]],"updatedAt":1745002146362,"type":"text"},"1d96d11db45480709135ce707ed81a0f":{"id":"1d96d11db45480709135ce707ed81a0f","children":[],"hasContent":false,"parentId":"1d96d11db45480ac92f9e9046aae1285","title":[["Target",[["b",null]]]],"updatedAt":1745002158838,"type":"text"},"1d96d11db4548090a0fff651c430dbef":{"id":"1d96d11db4548090a0fff651c430dbef","children":[],"hasContent":false,"parentId":"1d96d11db45480ac92f9e9046aae1285","title":[["https://app.bean.money",[["a","https://app.bean.money"]]]],"updatedAt":1745002161733,"type":"text"},"1d96d11db45480ba8f9fc3b0320a442d":{"id":"1d96d11db45480ba8f9fc3b0320a442d","children":[],"hasContent":false,"parentId":"1d96d11db45480ac92f9e9046aae1285","title":[["Impacts",[["b",null]]]],"updatedAt":1745002163453,"type":"text"},"1d96d11db454800ba208cf9a1efdf7be":{"id":"1d96d11db454800ba208cf9a1efdf7be","children":[],"hasContent":false,"parentId":"1d96d11db45480ac92f9e9046aae1285","title":[["Redirecting users to malicious websites"]],"updatedAt":1745002164420,"type":"text"},"1d96d11db45480209d08dbc840001696":{"id":"1d96d11db45480209d08dbc840001696","children":[],"hasContent":false,"parentId":"1d96d11db45480ac92f9e9046aae1285","title":[["Description"]],"updatedAt":1745002146362,"type":"heading","subType":"sub_sub_header","depth":3},"1d96d11db4548093b58ffd51a2c3808d":{"id":"1d96d11db4548093b58ffd51a2c3808d","children":[],"hasContent":false,"parentId":"1d96d11db45480ac92f9e9046aae1285","title":[["Hello team,"]],"updatedAt":1745002146362,"type":"text"},"1d96d11db45480418263c16cba31f65e":{"id":"1d96d11db45480418263c16cba31f65e","children":[],"hasContent":false,"parentId":"1d96d11db45480ac92f9e9046aae1285","title":[["A critical Insecure Direct Object Reference (IDOR) vulnerability exists in the "],["https://app.bean.money/#/governance/",[["c",null]]],[" endpoint, allowing attackers to manipulate the "],["proposal-id",[["c",null]]],[" parameter in the URL. This flaw enables unauthorized users to craft arbitrary governance proposal IDs, triggering unintended application behaviors that may lead to severe security issues such as arbitrary code execution, open redirects, and other malicious exploits."]],"updatedAt":1745002180300,"type":"text"},"1d96d11db45480bb9a93d243d342efc7":{"id":"1d96d11db45480bb9a93d243d342efc7","children":[],"hasContent":false,"parentId":"1d96d11db45480ac92f9e9046aae1285","title":[["The governance application fetches proposal details directly from the snapshot based on the "],["proposal-id",[["c",null]]],[" provided in the URL, without proper validation or sanitization. As a result, any arbitrary or malicious proposal ID can be appended, and the application will attempt to process it. For example, replacing a official valid governance proposal ID (e.g., "],["https://app.bean.money/#/governance/0xb5f21487caf4e7b0ddd1ac536a4165ea21eb18348987aec95e1cb56148ca916d",[["c",null]]],[") with an attacker-controlled proposal ID ("],["https://app.bean.money/#/governance/",[["c",null]]],[") could trigger malicious behaviors depending on the code in the proposal. This creates significant risks such as arbitrary code execution, redirection of users to malicious websites, funds loss, and other potential exploits."]],"updatedAt":1745002195255,"type":"text"},"1d96d11db454809fb583ca8aa51b1ec7":{"id":"1d96d11db454809fb583ca8aa51b1ec7","children":[],"hasContent":false,"parentId":"1d96d11db45480ac92f9e9046aae1285","title":[["Fix"]],"updatedAt":1745002203765,"type":"heading","subType":"sub_sub_header","depth":3},"1d96d11db45480a883a1dce74720db6e":{"id":"1d96d11db45480a883a1dce74720db6e","children":[],"hasContent":false,"parentId":"1d96d11db45480ac92f9e9046aae1285","title":[["As you own the domain "],["https://app.bean.money/",[["c",null]]],[", only official Beanstalk governance URLs should be accessible on this domain. For instance, URLs from your official ENS Snapshot governance should be the only ones that work on "],["https://app.bean.money/",[["c",null]]],[", and no others should be allowed. For example, construct a URL like this: "],["https://app.bean.money/#//governance/",[["c",null]]],[". A possible URL could be: "],["https://app.bean.money/#/beanstalkdao.eth/governance/0xb5f21487caf4e7b0ddd1ac536a4165ea21eb18348987aec95e1cb56148ca916d",[["a","https://app.bean.money/#/beanstalkdao.eth/governance/0xb5f21487caf4e7b0ddd1ac536a4165ea21eb18348987aec95e1cb56148ca916d"]]],[". If someone tries to manipulate the proposal ID in the URL, such as "],["https://app.bean.money/#/beanstalkdao.eth/governance/",[["c",null]]],[", the server should invalidate it based on the structure "],["https://app.bean.money/#/beanstalkdao.eth/*",[["c",null]]],[" in the URL. (This is just a suggestion, and I am not sure how it would be implemented.) If anyone tries to manipulate the proposal URL, the application should return a 404 or an \"Invalid Proposal\" error instead of processing a potentially malicious URL."]],"updatedAt":1745002223937,"type":"text"},"1d96d11db45480de82a0dd32558e0810":{"id":"1d96d11db45480de82a0dd32558e0810","children":[],"hasContent":false,"parentId":"1d96d11db45480ac92f9e9046aae1285","title":[["Impact"]],"updatedAt":1745002227845,"type":"heading","subType":"sub_sub_header","depth":3},"1d96d11db45480c184d5cf5d580b44ce":{"id":"1d96d11db45480c184d5cf5d580b44ce","children":[],"hasContent":false,"parentId":"1d96d11db45480ac92f9e9046aae1285","title":[["The impact of this issue is severe, as it allows attackers to manipulate proposal IDs, leading to potential arbitrary code execution, unauthorized manipulation of governance voting data, and open redirects to malicious websites. This vulnerability can result in the loss of funds and malicious exploitation of the governance process, depending on the nature of the malicious code involved.This represents a critical security risk."]],"updatedAt":1745002237321,"type":"text"},"1d96d11db454800c9f97f20752df4101":{"id":"1d96d11db454800c9f97f20752df4101","children":[],"hasContent":false,"parentId":"1d96d11db45480ac92f9e9046aae1285","title":[["Proof of concept"]],"updatedAt":1745002146362,"type":"heading","subType":"sub_sub_header","depth":3},"1d96d11db45480ecb6b5e87a53913d72":{"id":"1d96d11db45480ecb6b5e87a53913d72","children":[],"hasContent":false,"parentId":"1d96d11db45480ac92f9e9046aae1285","title":[["1. "],["Access a valid official Beanstalk governance proposal:",[["b",null]]]],"updatedAt":1745002245544,"type":"text"},"1d96d11db4548024b571c90ce7a60361":{"id":"1d96d11db4548024b571c90ce7a60361","children":[],"hasContent":false,"parentId":"1d96d11db45480ac92f9e9046aae1285","title":[["Start by visiting a valid governance proposal on the Beanstalk platform: "],["https://app.bean.money/#/governance/0xb5f21487caf4e7b0ddd1ac536a4165ea21eb18348987aec95e1cb56148ca916d",[["a","https://app.bean.money/#/governance/0xb5f21487caf4e7b0ddd1ac536a4165ea21eb18348987aec95e1cb56148ca916d"]]]],"updatedAt":1745002146362,"type":"text"},"1d96d11db45480659775dd7472c633d7":{"id":"1d96d11db45480659775dd7472c633d7","children":[],"hasContent":false,"parentId":"1d96d11db45480ac92f9e9046aae1285","title":[["This above URL should load the official governance proposal for BIP-50: Reseed Beanstalk)."]],"updatedAt":1745002146362,"type":"text"},"1d96d11db45480bea17bdd243264743b":{"id":"1d96d11db45480bea17bdd243264743b","children":[],"hasContent":false,"parentId":"1d96d11db45480ac92f9e9046aae1285","title":[["2. "],["Manipulate the Proposal ID in the URL:",[["b",null]]]],"updatedAt":1745002251917,"type":"text"},"1d96d11db4548038b64acd45e182b4e2":{"id":"1d96d11db4548038b64acd45e182b4e2","children":[],"hasContent":false,"parentId":"1d96d11db45480ac92f9e9046aae1285","title":[["My own test proposal ID: "],["0x305a305aab6542e005744b592d62f8ca9a2df7f4959d4aa722179fc98b9750a1",[["c",null]]],[" for redirecting users to malicious websites "],["https://snapshot.org/#/opalnode.eth/proposal/0x305a305aab6542e005744b592d62f8ca9a2df7f4959d4aa722179fc98b9750a1",[["a","https://snapshot.org/#/opalnode.eth/proposal/0x305a305aab6542e005744b592d62f8ca9a2df7f4959d4aa722179fc98b9750a1"]]]],"updatedAt":1745002146362,"type":"text"},"1d96d11db45480998cc4f2ef55bb69e4":{"id":"1d96d11db45480998cc4f2ef55bb69e4","children":[],"hasContent":false,"parentId":"1d96d11db45480ac92f9e9046aae1285","title":[["Modify the proposal ID in the URL to an arbitrary or malicious one. For example:"]],"updatedAt":1745002146362,"type":"text"},"1d96d11db4548001ac60d17b8a13ac90":{"id":"1d96d11db4548001ac60d17b8a13ac90","children":[],"hasContent":false,"parentId":"1d96d11db45480ac92f9e9046aae1285","title":[["https://app.bean.money/#/governance/"]],"updatedAt":1745002259974,"type":"code","language":"Plain Text","wrap":true,"link":null},"1d96d11db4548065b0b5f5fe2535225f":{"id":"1d96d11db4548065b0b5f5fe2535225f","children":[],"hasContent":false,"parentId":"1d96d11db45480ac92f9e9046aae1285","title":[["PoC"]],"updatedAt":1745002265102,"type":"heading","subType":"sub_sub_header","depth":3},"1d96d11db454800e91cffed9b2c868d7":{"id":"1d96d11db454800e91cffed9b2c868d7","children":[],"hasContent":false,"parentId":"1d96d11db45480ac92f9e9046aae1285","title":[["Open the URL: "],["https://app.bean.money/#/governance/0x305a305aab6542e005744b592d62f8ca9a2df7f4959d4aa722179fc98b9750a1",[["a","https://app.bean.money/#/governance/0x305a305aab6542e005744b592d62f8ca9a2df7f4959d4aa722179fc98b9750a1"]]]],"updatedAt":1745002282159,"type":"text"},"1d96d11db45480c6b41fe06438d6e8bc":{"id":"1d96d11db45480c6b41fe06438d6e8bc","children":[],"hasContent":false,"parentId":"1d96d11db45480ac92f9e9046aae1285","title":[["You will see arbitrary code execution and be redirected to a malicious website "],["https://attacker.com/",[["a","https://attacker.com/"]]]],"updatedAt":1745002285781,"type":"text"},"1d96d11db45480ed805cd7a3e42ecee8":{"id":"1d96d11db45480ed805cd7a3e42ecee8","children":[],"hasContent":false,"parentId":"1d96d11db45480ac92f9e9046aae1285","title":[["Please see the attached PoC : "],["https://drive.google.com/file/d/1uc6g5C1e1QH1cj-CiP_nO7vf81-bYn7D/view?usp=sharing",[["a","https://drive.google.com/file/d/1uc6g5C1e1QH1cj-CiP_nO7vf81-bYn7D/view?usp=sharing"]]],[" Sorry, while recording the PoC, my network was slow, and the website loaded very slowly. Anyway, I hope it’s clear"]],"updatedAt":1745002290111,"type":"text"},"1d96d11db45480e68f37d546fc7ef6ea":{"id":"1d96d11db45480e68f37d546fc7ef6ea","children":[],"hasContent":false,"parentId":"1d96d11db45480ac92f9e9046aae1285","title":[["Note, this is a simple test code for redirecting users to malicious websites. In this case, it will redirect to attacker.com. The impact of this vulnerability depends on the nature of the malicious code involved. For the PoC (proof of concept), I have shown a simple redirection to attacker.com"]],"updatedAt":1745002302464,"type":"text"},"1d96d11db454806db4c4fad2228981a0":{"id":"1d96d11db454806db4c4fad2228981a0","children":[],"hasContent":false,"parentId":"1d96d11db45480ac92f9e9046aae1285","title":[["The status and severity are at your discretion. Let me know if you want further information."]],"updatedAt":1745002146362,"type":"text"},"1d96d11db45480b09d31e730e446bd81":{"id":"1d96d11db45480b09d31e730e446bd81","children":[],"hasContent":false,"parentId":"bug-reports-bic-notes-report-36912","title":[["BIC Response"]],"updatedAt":1745002326710,"type":"heading","subType":"sub_header","depth":2},"1d96d11db454800dbe00e3f77d4103ba":{"id":"1d96d11db454800dbe00e3f77d4103ba","children":[],"hasContent":false,"parentId":"bug-reports-bic-notes-report-36912","title":[["Thank you for your report. Upon review, we have determined the impact to be out of scope of our bug bounty program. Thus we are closing the report and no reward will be issued."]],"updatedAt":1745002327657,"type":"text"}},"team":{"7152ae7a-68b8-46a1-8b9a-d3f2b742cf39":{"role":"none"}},"form_question":{},"entity":{},"pageId":"1d96d11db4548094be6bde80ae0a2259","pagesToCreate":[]},"settings":{"siteId":"24ee9048-bc34-4e20-87bc-190b6da4b7a3","userId":"94389423-1c7a-40c3-9765-f058817c571a","domainName":"community.bean.money","name":"Beanstalk Notion","active":true,"free":false,"tier":"personal","favicon":null,"fontFamily":"Inter","legacyTheme":"default","language":"en","notionPage":"d2246af0639c440b9153316b52856b7d","indexPageId":"24ee9048-bc34-4e20-87bc-190b6da4b7a3:::46bdfa5c-fa89-4a73-825f-88aeb87b1162","pageProperties":true,"pageSyncing":true,"viewSwitcher":true,"layoutSidePanel":true,"siteSearch":true,"advancedSearch":false,"themeToggle":false,"mondayFirst":false,"loadLimits":false,"hidePersonInfo":false,"showPropertyIcons":false,"redirectSubdomain":null,"noIndex":false,"viewsExceeded":false,"cacheTTL":180000,"manualSync":false,"syncStatus":"unsynced","publishedAt":null,"navbar":null,"footer":null,"sidebar":null,"theme":null,"code":{"head":[],"body":[],"style":[],"css":""},"files":[],"hasPassword":false,"hasFeed":false},"smallText":false,"config":"$undefined","pageLocation":"/bug-reports/bic-notes/report-36912","passwords":[],"styles":"","children":[["$","main",null,{"id":"page-bug-reports-bic-notes-report-36912","className":"super-content page__bug-reports-bic-notes-report-36912 parent-page__bug-reports-bic-notes","children":[["$","$L32",null,{"url":"https://community.bean.money/bug-reports/bic-notes/report-36912","title":"Report #36912","description":"Thank you for your report. Upon review, we have determined the impact to be out of scope of our bug bounty program. Thus we are closing the report and no reward will be issued.","root":{"id":"d2246af0639c440b9153316b52856b7d","uri":"/","title":"Beanstalk Notion","icon":"https://images.spr.so/cdn-cgi/imagedelivery/j42No7y-dcokJuNgXeA0ig/8eb7da25-afae-45ec-95dc-67fbfc3937de/bean-200x200/public"},"image":null,"canonical":null,"author":null,"favicon":null,"breadcrumbs":[{"id":"bug-reports","uri":"/bug-reports","title":"Bug Reports","icon":"🪲"},{"id":"bug-reports-bic-notes","uri":"/bug-reports/bic-notes","title":"BIC Notes","icon":null},{"id":"bug-reports-bic-notes-report-36912","uri":"/bug-reports/bic-notes/report-36912","title":"Report #36912","icon":"📄"}],"siteId":"24ee9048-bc34-4e20-87bc-190b6da4b7a3","userId":"94389423-1c7a-40c3-9765-f058817c571a","domainName":"community.bean.money","name":"Beanstalk Notion","active":true,"free":false,"tier":"personal","fontFamily":"Inter","legacyTheme":"default","language":"en","notionPage":"d2246af0639c440b9153316b52856b7d","indexPageId":"24ee9048-bc34-4e20-87bc-190b6da4b7a3:::46bdfa5c-fa89-4a73-825f-88aeb87b1162","pageProperties":true,"pageSyncing":true,"viewSwitcher":true,"layoutSidePanel":true,"siteSearch":true,"advancedSearch":false,"themeToggle":false,"mondayFirst":false,"loadLimits":false,"hidePersonInfo":false,"showPropertyIcons":false,"redirectSubdomain":null,"noIndex":false,"viewsExceeded":false,"cacheTTL":180000,"manualSync":false,"syncStatus":"unsynced","publishedAt":null,"navbar":null,"footer":null,"sidebar":null,"theme":null,"code":"$33","files":"$37","hasPassword":false,"hasFeed":false}],null,null,["$","div",null,{"className":"notion-header page","children":[["$","div",null,{"className":"notion-header__cover no-cover has-icon","children":null}],["$","div",null,{"className":"notion-header__content max-width no-cover has-icon","children":[["$","div",null,{"className":"notion-header__title-wrapper","children":[["$","div",null,{"className":"notion-header__icon-wrapper no-cover has-icon","children":["$","div",null,{"children":"📄"}]}],["$","h1",null,{"className":"notion-header__title","children":"Report #36912"}]]}],null]}]]}],["$","$L38",null,{"id":"bug-reports-bic-notes-report-36912","children":[[["$","span",null,{"className":"notion-heading__anchor","id":"1d96d11db45480f09890cf80dd093926"}],["$","h2",null,{"id":"block-1d96d11db45480f09890cf80dd093926","className":"notion-heading notion-semantic-string","children":["$undefined",[["$","strong","0-b",{"children":["$","$39","0-Arbitrary Code Execution in Beanstalk Governance Leads to Redirection of Users to Malicious Websites, and More...",{"children":"Arbitrary Code Execution in Beanstalk Governance Leads to Redirection of Users to Malicious Websites, and More..."}]}]],"$undefined"]}]],["$","$L3a","1d96d11db45480ac92f9e9046aae1285",{"id":"1d96d11db45480ac92f9e9046aae1285","children":[["$","p",null,{"id":"block-1d96d11db45480768faacc686cc2c5f1","className":"notion-text notion-text__content notion-semantic-string","children":["$undefined",[["$","strong","0-b",{"children":["$","$39","0-Report ID",{"children":"Report ID"}]}]],"$undefined"]}],["$","p",null,{"id":"block-1d96d11db45480b9baaed8c08d503223","className":"notion-text notion-text__content notion-semantic-string","children":["$undefined",[["$","$39","0-#36912",{"children":"#36912"}]],"$undefined"]}],["$","p",null,{"id":"block-1d96d11db45480a6be57c9f2b8f97895","className":"notion-text notion-text__content notion-semantic-string","children":["$undefined",[["$","strong","0-b",{"children":["$","$39","0-Report type",{"children":"Report type"}]}]],"$undefined"]}],["$","p",null,{"id":"block-1d96d11db4548000820bef1ea8c090cb","className":"notion-text notion-text__content notion-semantic-string","children":["$undefined",[["$","$39","0-Websites and Applications",{"children":"Websites and Applications"}]],"$undefined"]}],["$","p",null,{"id":"block-1d96d11db454805d8381ee8522573f1e","className":"notion-text notion-text__content notion-semantic-string","children":["$undefined",[["$","strong","0-b",{"children":["$","$39","0-Has PoC?",{"children":"Has PoC?"}]}]],"$undefined"]}],["$","p",null,{"id":"block-1d96d11db454808fa043c2be368884fb","className":"notion-text notion-text__content notion-semantic-string","children":["$undefined",[["$","$39","0-Yes",{"children":"Yes"}]],"$undefined"]}],["$","p",null,{"id":"block-1d96d11db45480709135ce707ed81a0f","className":"notion-text notion-text__content notion-semantic-string","children":["$undefined",[["$","strong","0-b",{"children":["$","$39","0-Target",{"children":"Target"}]}]],"$undefined"]}],["$","p",null,{"id":"block-1d96d11db4548090a0fff651c430dbef","className":"notion-text notion-text__content notion-semantic-string","children":["$undefined",[["$","$L3b","https://app.bean.money",{"className":"link","uri":"https://app.bean.money","children":["$","$39","0-https://app.bean.money",{"children":"https://app.bean.money"}]}]],"$undefined"]}],["$","p",null,{"id":"block-1d96d11db45480ba8f9fc3b0320a442d","className":"notion-text notion-text__content notion-semantic-string","children":["$undefined",[["$","strong","0-b",{"children":["$","$39","0-Impacts",{"children":"Impacts"}]}]],"$undefined"]}],["$","p",null,{"id":"block-1d96d11db454800ba208cf9a1efdf7be","className":"notion-text notion-text__content notion-semantic-string","children":["$undefined",[["$","$39","0-Redirecting users to malicious websites",{"children":"Redirecting users to malicious websites"}]],"$undefined"]}],[["$","span",null,{"className":"notion-heading__anchor","id":"1d96d11db45480209d08dbc840001696"}],["$","h3",null,{"id":"block-1d96d11db45480209d08dbc840001696","className":"notion-heading notion-semantic-string","children":["$undefined",[["$","$39","0-Description",{"children":"Description"}]],"$undefined"]}]],["$","p",null,{"id":"block-1d96d11db4548093b58ffd51a2c3808d","className":"notion-text notion-text__content notion-semantic-string","children":["$undefined",[["$","$39","0-Hello team,",{"children":"Hello team,"}]],"$undefined"]}],["$","p",null,{"id":"block-1d96d11db45480418263c16cba31f65e","className":"notion-text notion-text__content notion-semantic-string","children":["$undefined",[["$","$39","0-A critical Insecure Direct Object Reference (IDOR) vulnerability exists in the ",{"children":"A critical Insecure Direct Object Reference (IDOR) vulnerability exists in the "}],["$","code","0-c",{"className":"code","children":["$","$39","1-https://app.bean.money/#/governance/",{"children":"https://app.bean.money/#/governance/"}]}],["$","$39","2- endpoint, allowing attackers to manipulate the ",{"children":" endpoint, allowing attackers to manipulate the "}],["$","code","0-c",{"className":"code","children":["$","$39","3-proposal-id",{"children":"proposal-id"}]}],["$","$39","4- parameter in the URL. This flaw enables unauthorized users to craft arbitrary governance proposal IDs, triggering unintended application behaviors that may lead to severe security issues such as arbitrary code execution, open redirects, and other malicious exploits.",{"children":" parameter in the URL. This flaw enables unauthorized users to craft arbitrary governance proposal IDs, triggering unintended application behaviors that may lead to severe security issues such as arbitrary code execution, open redirects, and other malicious exploits."}]],"$undefined"]}],["$","p",null,{"id":"block-1d96d11db45480bb9a93d243d342efc7","className":"notion-text notion-text__content notion-semantic-string","children":["$undefined",[["$","$39","0-The governance application fetches proposal details directly from the snapshot based on the ",{"children":"The governance application fetches proposal details directly from the snapshot based on the "}],["$","code","0-c",{"className":"code","children":["$","$39","1-proposal-id",{"children":"proposal-id"}]}],["$","$39","2- provided in the URL, without proper validation or sanitization. As a result, any arbitrary or malicious proposal ID can be appended, and the application will attempt to process it. For example, replacing a official valid governance proposal ID (e.g., ",{"children":" provided in the URL, without proper validation or sanitization. As a result, any arbitrary or malicious proposal ID can be appended, and the application will attempt to process it. For example, replacing a official valid governance proposal ID (e.g., "}],["$","code","0-c",{"className":"code","children":["$","$39","3-https://app.bean.money/#/governance/0xb5f21487caf4e7b0ddd1ac536a4165ea21eb18348987aec95e1cb56148ca916d",{"children":"https://app.bean.money/#/governance/0xb5f21487caf4e7b0ddd1ac536a4165ea21eb18348987aec95e1cb56148ca916d"}]}],["$","$39","4-) with an attacker-controlled proposal ID (",{"children":") with an attacker-controlled proposal ID ("}],["$","code","0-c",{"className":"code","children":["$","$39","5-https://app.bean.money/#/governance/",{"children":"https://app.bean.money/#/governance/"}]}],["$","$39","6-) could trigger malicious behaviors depending on the code in the proposal. This creates significant risks such as arbitrary code execution, redirection of users to malicious websites, funds loss, and other potential exploits.",{"children":") could trigger malicious behaviors depending on the code in the proposal. This creates significant risks such as arbitrary code execution, redirection of users to malicious websites, funds loss, and other potential exploits."}]],"$undefined"]}],[["$","span",null,{"className":"notion-heading__anchor","id":"1d96d11db454809fb583ca8aa51b1ec7"}],["$","h3",null,{"id":"block-1d96d11db454809fb583ca8aa51b1ec7","className":"notion-heading notion-semantic-string","children":["$undefined",[["$","$39","0-Fix",{"children":"Fix"}]],"$undefined"]}]],["$","p",null,{"id":"block-1d96d11db45480a883a1dce74720db6e","className":"notion-text notion-text__content notion-semantic-string","children":["$undefined",[["$","$39","0-As you own the domain ",{"children":"As you own the domain "}],["$","code","0-c",{"className":"code","children":["$","$39","1-https://app.bean.money/",{"children":"https://app.bean.money/"}]}],["$","$39","2-, only official Beanstalk governance URLs should be accessible on this domain. For instance, URLs from your official ENS Snapshot governance should be the only ones that work on ",{"children":", only official Beanstalk governance URLs should be accessible on this domain. For instance, URLs from your official ENS Snapshot governance should be the only ones that work on "}],["$","code","0-c",{"className":"code","children":["$","$39","3-https://app.bean.money/",{"children":"https://app.bean.money/"}]}],["$","$39","4-, and no others should be allowed. For example, construct a URL like this: ",{"children":", and no others should be allowed. For example, construct a URL like this: "}],["$","code","0-c",{"className":"code","children":["$","$39","5-https://app.bean.money/#//governance/",{"children":"https://app.bean.money/#//governance/"}]}],["$","$39","6-. A possible URL could be: ",{"children":". A possible URL could be: "}],["$","$L3b","https://app.bean.money/#/beanstalkdao.eth/governance/0xb5f21487caf4e7b0ddd1ac536a4165ea21eb18348987aec95e1cb56148ca916d",{"className":"link","uri":"https://app.bean.money/#/beanstalkdao.eth/governance/0xb5f21487caf4e7b0ddd1ac536a4165ea21eb18348987aec95e1cb56148ca916d","children":["$","$39","7-https://app.bean.money/#/beanstalkdao.eth/governance/0xb5f21487caf4e7b0ddd1ac536a4165ea21eb18348987aec95e1cb56148ca916d",{"children":"https://app.bean.money/#/beanstalkdao.eth/governance/0xb5f21487caf4e7b0ddd1ac536a4165ea21eb18348987aec95e1cb56148ca916d"}]}],["$","$39","8-. If someone tries to manipulate the proposal ID in the URL, such as ",{"children":". If someone tries to manipulate the proposal ID in the URL, such as "}],["$","code","0-c",{"className":"code","children":["$","$39","9-https://app.bean.money/#/beanstalkdao.eth/governance/",{"children":"https://app.bean.money/#/beanstalkdao.eth/governance/"}]}],["$","$39","10-, the server should invalidate it based on the structure ",{"children":", the server should invalidate it based on the structure "}],["$","code","0-c",{"className":"code","children":["$","$39","11-https://app.bean.money/#/beanstalkdao.eth/*",{"children":"https://app.bean.money/#/beanstalkdao.eth/*"}]}],["$","$39","12- in the URL. (This is just a suggestion, and I am not sure how it would be implemented.) If anyone tries to manipulate the proposal URL, the application should return a 404 or an \"Invalid Proposal\" error instead of processing a potentially malicious URL.",{"children":" in the URL. (This is just a suggestion, and I am not sure how it would be implemented.) If anyone tries to manipulate the proposal URL, the application should return a 404 or an \"Invalid Proposal\" error instead of processing a potentially malicious URL."}]],"$undefined"]}],[["$","span",null,{"className":"notion-heading__anchor","id":"1d96d11db45480de82a0dd32558e0810"}],["$","h3",null,{"id":"block-1d96d11db45480de82a0dd32558e0810","className":"notion-heading notion-semantic-string","children":["$undefined",[["$","$39","0-Impact",{"children":"Impact"}]],"$undefined"]}]],["$","p",null,{"id":"block-1d96d11db45480c184d5cf5d580b44ce","className":"notion-text notion-text__content notion-semantic-string","children":["$undefined",[["$","$39","0-The impact of this issue is severe, as it allows attackers to manipulate proposal IDs, leading to potential arbitrary code execution, unauthorized manipulation of governance voting data, and open redirects to malicious websites. This vulnerability can result in the loss of funds and malicious exploitation of the governance process, depending on the nature of the malicious code involved.This represents a critical security risk.",{"children":"The impact of this issue is severe, as it allows attackers to manipulate proposal IDs, leading to potential arbitrary code execution, unauthorized manipulation of governance voting data, and open redirects to malicious websites. This vulnerability can result in the loss of funds and malicious exploitation of the governance process, depending on the nature of the malicious code involved.This represents a critical security risk."}]],"$undefined"]}],[["$","span",null,{"className":"notion-heading__anchor","id":"1d96d11db454800c9f97f20752df4101"}],["$","h3",null,{"id":"block-1d96d11db454800c9f97f20752df4101","className":"notion-heading notion-semantic-string","children":["$undefined",[["$","$39","0-Proof of concept",{"children":"Proof of concept"}]],"$undefined"]}]],["$","p",null,{"id":"block-1d96d11db45480ecb6b5e87a53913d72","className":"notion-text notion-text__content notion-semantic-string","children":["$undefined",[["$","$39","0-1. ",{"children":"1. "}],["$","strong","0-b",{"children":["$","$39","1-Access a valid official Beanstalk governance proposal:",{"children":"Access a valid official Beanstalk governance proposal:"}]}]],"$undefined"]}],["$","p",null,{"id":"block-1d96d11db4548024b571c90ce7a60361","className":"notion-text notion-text__content notion-semantic-string","children":["$undefined",[["$","$39","0-Start by visiting a valid governance proposal on the Beanstalk platform: ",{"children":"Start by visiting a valid governance proposal on the Beanstalk platform: "}],["$","$L3b","https://app.bean.money/#/governance/0xb5f21487caf4e7b0ddd1ac536a4165ea21eb18348987aec95e1cb56148ca916d",{"className":"link","uri":"https://app.bean.money/#/governance/0xb5f21487caf4e7b0ddd1ac536a4165ea21eb18348987aec95e1cb56148ca916d","children":["$","$39","1-https://app.bean.money/#/governance/0xb5f21487caf4e7b0ddd1ac536a4165ea21eb18348987aec95e1cb56148ca916d",{"children":"https://app.bean.money/#/governance/0xb5f21487caf4e7b0ddd1ac536a4165ea21eb18348987aec95e1cb56148ca916d"}]}]],"$undefined"]}],["$","p",null,{"id":"block-1d96d11db45480659775dd7472c633d7","className":"notion-text notion-text__content notion-semantic-string","children":["$undefined",[["$","$39","0-This above URL should load the official governance proposal for BIP-50: Reseed Beanstalk).",{"children":"This above URL should load the official governance proposal for BIP-50: Reseed Beanstalk)."}]],"$undefined"]}],["$","p",null,{"id":"block-1d96d11db45480bea17bdd243264743b","className":"notion-text notion-text__content notion-semantic-string","children":["$undefined",[["$","$39","0-2. ",{"children":"2. "}],["$","strong","0-b",{"children":["$","$39","1-Manipulate the Proposal ID in the URL:",{"children":"Manipulate the Proposal ID in the URL:"}]}]],"$undefined"]}],["$","p",null,{"id":"block-1d96d11db4548038b64acd45e182b4e2","className":"notion-text notion-text__content notion-semantic-string","children":["$undefined",[["$","$39","0-My own test proposal ID: ",{"children":"My own test proposal ID: "}],["$","code","0-c",{"className":"code","children":["$","$39","1-0x305a305aab6542e005744b592d62f8ca9a2df7f4959d4aa722179fc98b9750a1",{"children":"0x305a305aab6542e005744b592d62f8ca9a2df7f4959d4aa722179fc98b9750a1"}]}],["$","$39","2- for redirecting users to malicious websites ",{"children":" for redirecting users to malicious websites "}],["$","$L3b","https://snapshot.org/#/opalnode.eth/proposal/0x305a305aab6542e005744b592d62f8ca9a2df7f4959d4aa722179fc98b9750a1",{"className":"link","uri":"https://snapshot.org/#/opalnode.eth/proposal/0x305a305aab6542e005744b592d62f8ca9a2df7f4959d4aa722179fc98b9750a1","children":["$","$39","3-https://snapshot.org/#/opalnode.eth/proposal/0x305a305aab6542e005744b592d62f8ca9a2df7f4959d4aa722179fc98b9750a1",{"children":"https://snapshot.org/#/opalnode.eth/proposal/0x305a305aab6542e005744b592d62f8ca9a2df7f4959d4aa722179fc98b9750a1"}]}]],"$undefined"]}],["$","p",null,{"id":"block-1d96d11db45480998cc4f2ef55bb69e4","className":"notion-text notion-text__content notion-semantic-string","children":["$undefined",[["$","$39","0-Modify the proposal ID in the URL to an arbitrary or malicious one. For example:",{"children":"Modify the proposal ID in the URL to an arbitrary or malicious one. For example:"}]],"$undefined"]}],["$","$L3c","1d96d11db4548001ac60d17b8a13ac90",{"id":"1d96d11db4548001ac60d17b8a13ac90","children":null,"hasContent":false,"parentId":"1d96d11db45480ac92f9e9046aae1285","title":"$3d","updatedAt":1745002259974,"type":"code","language":"Plain Text","wrap":true,"link":null}],[["$","span",null,{"className":"notion-heading__anchor","id":"1d96d11db4548065b0b5f5fe2535225f"}],["$","h3",null,{"id":"block-1d96d11db4548065b0b5f5fe2535225f","className":"notion-heading notion-semantic-string","children":["$undefined",[["$","$39","0-PoC",{"children":"PoC"}]],"$undefined"]}]],["$","p",null,{"id":"block-1d96d11db454800e91cffed9b2c868d7","className":"notion-text notion-text__content notion-semantic-string","children":["$undefined",[["$","$39","0-Open the URL: ",{"children":"Open the URL: "}],["$","$L3b","https://app.bean.money/#/governance/0x305a305aab6542e005744b592d62f8ca9a2df7f4959d4aa722179fc98b9750a1",{"className":"link","uri":"https://app.bean.money/#/governance/0x305a305aab6542e005744b592d62f8ca9a2df7f4959d4aa722179fc98b9750a1","children":["$","$39","1-https://app.bean.money/#/governance/0x305a305aab6542e005744b592d62f8ca9a2df7f4959d4aa722179fc98b9750a1",{"children":"https://app.bean.money/#/governance/0x305a305aab6542e005744b592d62f8ca9a2df7f4959d4aa722179fc98b9750a1"}]}]],"$undefined"]}],["$","p",null,{"id":"block-1d96d11db45480c6b41fe06438d6e8bc","className":"notion-text notion-text__content notion-semantic-string","children":["$undefined",[["$","$39","0-You will see arbitrary code execution and be redirected to a malicious website ",{"children":"You will see arbitrary code execution and be redirected to a malicious website "}],["$","$L3b","https://attacker.com/",{"className":"link","uri":"https://attacker.com/","children":["$","$39","1-https://attacker.com/",{"children":"https://attacker.com/"}]}]],"$undefined"]}],["$","p",null,{"id":"block-1d96d11db45480ed805cd7a3e42ecee8","className":"notion-text notion-text__content notion-semantic-string","children":["$undefined",[["$","$39","0-Please see the attached PoC : ",{"children":"Please see the attached PoC : "}],["$","$L3b","https://drive.google.com/file/d/1uc6g5C1e1QH1cj-CiP_nO7vf81-bYn7D/view?usp=sharing",{"className":"link","uri":"https://drive.google.com/file/d/1uc6g5C1e1QH1cj-CiP_nO7vf81-bYn7D/view?usp=sharing","children":["$","$39","1-https://drive.google.com/file/d/1uc6g5C1e1QH1cj-CiP_nO7vf81-bYn7D/view?usp=sharing",{"children":"https://drive.google.com/file/d/1uc6g5C1e1QH1cj-CiP_nO7vf81-bYn7D/view?usp=sharing"}]}],["$","$39","2- Sorry, while recording the PoC, my network was slow, and the website loaded very slowly. Anyway, I hope it’s clear",{"children":" Sorry, while recording the PoC, my network was slow, and the website loaded very slowly. Anyway, I hope it’s clear"}]],"$undefined"]}],["$","p",null,{"id":"block-1d96d11db45480e68f37d546fc7ef6ea","className":"notion-text notion-text__content notion-semantic-string","children":["$undefined",[["$","$39","0-Note, this is a simple test code for redirecting users to malicious websites. In this case, it will redirect to attacker.com. The impact of this vulnerability depends on the nature of the malicious code involved. For the PoC (proof of concept), I have shown a simple redirection to attacker.com",{"children":"Note, this is a simple test code for redirecting users to malicious websites. In this case, it will redirect to attacker.com. The impact of this vulnerability depends on the nature of the malicious code involved. For the PoC (proof of concept), I have shown a simple redirection to attacker.com"}]],"$undefined"]}],["$","p",null,{"id":"block-1d96d11db454806db4c4fad2228981a0","className":"notion-text notion-text__content notion-semantic-string","children":["$undefined",[["$","$39","0-The status and severity are at your discretion. Let me know if you want further information.",{"children":"The status and severity are at your discretion. Let me know if you want further information."}]],"$undefined"]}]],"hasContent":true,"parentId":"bug-reports-bic-notes-report-36912","title":"$3f","updatedAt":1745002240147,"type":"toggle","subType":null,"depth":null,"color":null}],[["$","span",null,{"className":"notion-heading__anchor","id":"1d96d11db45480b09d31e730e446bd81"}],["$","h2",null,{"id":"block-1d96d11db45480b09d31e730e446bd81","className":"notion-heading notion-semantic-string","children":["$undefined",[["$","$39","0-BIC Response",{"children":"BIC Response"}]],"$undefined"]}]],["$","p",null,{"id":"block-1d96d11db454800dbe00e3f77d4103ba","className":"notion-text notion-text__content notion-semantic-string","children":["$undefined",[["$","$39","0-Thank you for your report. Upon review, we have determined the impact to be out of scope of our bug bounty program. Thus we are closing the report and no reward will be issued.",{"children":"Thank you for your report. Upon review, we have determined the impact to be out of scope of our bug bounty program. Thus we are closing the report and no reward will be issued."}]],"$undefined"]}]],"hasContent":true,"parentId":"81d407a13ac34b24afbd8ae2f633beb8","title":"$43","updatedAt":1745002322110,"type":"page","spaceId":"ab0b716f-1149-44f9-a5f8-3c1faef24f49","icon":"📄","createdTime":1744999162471,"lastEditedTime":1745002322110,"createdBy":"$45","lastEditedBy":"$49","layout":null,"propertySort":"$4d","uri":"/bug-reports/bic-notes/report-36912","fullWidth":false,"smallText":false,"noCover":true,"superProperties":"$51","propertyValues":"$52","blockId":"1d96d11d-b454-8094-be6b-de80ae0a2259","isRoot":true,"ctx":{"head":{"url":"https://community.bean.money/bug-reports/bic-notes/report-36912","title":"Report #36912","description":"Thank you for your report. Upon review, we have determined the impact to be out of scope of our bug bounty program. Thus we are closing the report and no reward will be issued.","root":"$5a","image":null,"canonical":null,"author":null,"favicon":"https://images.spr.so/cdn-cgi/imagedelivery/j42No7y-dcokJuNgXeA0ig/8eb7da25-afae-45ec-95dc-67fbfc3937de/bean-200x200/public","breadcrumbs":"$5b"},"settings":{"siteId":"24ee9048-bc34-4e20-87bc-190b6da4b7a3","userId":"94389423-1c7a-40c3-9765-f058817c571a","domainName":"community.bean.money","name":"Beanstalk Notion","active":true,"free":false,"tier":"personal","favicon":null,"fontFamily":"Inter","legacyTheme":"default","language":"en","notionPage":"d2246af0639c440b9153316b52856b7d","indexPageId":"24ee9048-bc34-4e20-87bc-190b6da4b7a3:::46bdfa5c-fa89-4a73-825f-88aeb87b1162","pageProperties":true,"pageSyncing":true,"viewSwitcher":true,"layoutSidePanel":true,"siteSearch":true,"advancedSearch":false,"themeToggle":false,"mondayFirst":false,"loadLimits":false,"hidePersonInfo":false,"showPropertyIcons":false,"redirectSubdomain":null,"noIndex":false,"viewsExceeded":false,"cacheTTL":180000,"manualSync":false,"syncStatus":"unsynced","publishedAt":null,"navbar":null,"footer":null,"sidebar":null,"theme":{"layout":{"paddingLayout":0.6,"layoutMaxWidth":900,"columnSpacing":46,"borderThicknessLayout":1,"borderTypeLayout":"solid","borderRadiiLayout":5,"pageDisplay":"flex"},"header":{"coverHeight":30,"titleAlign":"left","iconAlign":"-112px auto auto auto","display":"block"},"collectionCard":{"gap":10,"shadow":"rgba(15, 15, 15, 0.1) 0px 0px 0px 1px, rgba(15, 15, 15, 0.1) 0px 2px 4px","coverHeightLarge":200,"coverHeightMedium":200,"coverHeightSmall":128,"titleSize":0.875,"coverSizeSmall":172,"coverSizeMedium":260,"coverSizeLarge":320,"iconDisplay":"inline-flex"},"callout":{"iconDisplay":"block","shadow":"none"},"typography":{"primaryFont":"Inter","secondaryFont":"Inter","fonts":[],"baseSize":16,"titleSize":2.5,"quoteSize":1.2,"quoteSizeLarge":1.4,"headingSize":1,"textWeight":"normal","headingWeight":"600"},"scrollbar":{"width":15},"navbar":{"height":56,"shadow":"rgba(0, 0, 0, 0.12) 0px 10px 20px -6px"},"sidebar":{"width":280,"shadow":"rgba(0, 0, 0, 0.12) 0px 10px 20px -6px"},"colors":{"light":{"text":"#37352F","textLight":"#7d7c78","background":"#ffffff","borderColor":"#E9E9E7","checkboxBackground":"#2EAADC","hoverBackground":"#efefef","scrollbar":{"background":"#FAFAFA","handle":"#C1C1C1","border":"#E8E8E8"},"navbar":{"background":"#ffffff","buttonBackground":"#37352F","buttonText":"#ffffff","text":"#37352F"},"footer":{"background":"#ffffff","buttonBackground":"#37352F","buttonText":"#ffffff","text":"#37352F"},"sidebar":{"background":"#ffffff","hoverBackground":"#efefef","ctaBackground":"#ffffff","ctaText":"#37352F","text":"#37352F","border":"#E9E9E7"},"database":{"cardBackground":"#ffffff","cardHoverBackground":"#f9f9f8","calendarWeekendBackground":"#f7f6f3"},"form":{"submitButton":{"default":"#55534E","gray":"#A7A39A","brown":"#9A6851","orange":"#D9730D","yellow":"#CA922F","green":"#448361","blue":"#327DA9","purple":"#8F64AF","pink":"#C24C8B","red":"#D44E49"}},"default":[45,8,20],"gray":[45,2,46],"brown":[19,31,47],"orange":[30,87,45],"yellow":[38,62,49],"green":[149,31,39],"blue":[202,53,43],"purple":[274,32,54],"pink":[328,48,53],"red":[2,62,55]},"dark":{"text":"#e1e1e1","textLight":"#9b9b9b","background":"#191919","borderColor":"#373737","checkboxBackground":"#2EAADC","hoverBackground":"#292929","scrollbar":{"background":"#FAFAFA","handle":"#C1C1C1","border":"#E8E8E8"},"navbar":{"background":"#191919","buttonBackground":"#e1e1e1","buttonText":"#191919","text":"#e1e1e1"},"footer":{"background":"#191919","buttonBackground":"#e1e1e1","buttonText":"#191919","text":"#e1e1e1"},"sidebar":{"background":"#191919","hoverBackground":"#292929","ctaBackground":"#191919","ctaText":"#e1e1e1","text":"#e1e1e1","border":"#373737"},"database":{"cardBackground":"#212121","cardHoverBackground":"#292929","calendarWeekendBackground":"#202020"},"form":{"submitButton":{"default":"#55534E","gray":"#A7A39A","brown":"#9A6851","orange":"#D9730D","yellow":"#CA922F","green":"#448361","blue":"#327DA9","purple":"#8F64AF","pink":"#C24C8B","red":"#D44E49"}},"default":[45,8,20],"gray":[0,0,61],"brown":[18,35,58],"orange":[25,54,53],"yellow":[38,54,54],"green":[146,32,47],"blue":[217,50,58],"purple":[270,55,62],"pink":[329,57,58],"red":[1,69,60]}}},"code":"$33","files":"$37","hasPassword":false,"hasFeed":false},"records":"$5f","pageId":"bug-reports-bic-notes-report-36912"}}]]}],["$","$L16d",null,{"id":"bug-reports-bic-notes-report-36912","children":"$62","hasContent":true,"parentId":"81d407a13ac34b24afbd8ae2f633beb8","title":"$43","updatedAt":1745002322110,"type":"page","spaceId":"ab0b716f-1149-44f9-a5f8-3c1faef24f49","icon":"📄","createdTime":1744999162471,"lastEditedTime":1745002322110,"createdBy":"$45","lastEditedBy":"$49","layout":null,"propertySort":"$4d","uri":"/bug-reports/bic-notes/report-36912","fullWidth":false,"smallText":false,"noCover":true,"superProperties":"$51","propertyValues":"$52","blockId":"1d96d11d-b454-8094-be6b-de80ae0a2259","ctx":"$16e"}]]}]